base/protocols/krb/main.zeek

KRB

Implements base functionality for KRB analysis. Generates the kerberos.log file.

Namespace:

KRB

Imports:

base/protocols/conn/removal-hooks.zeek, base/protocols/krb/consts.zeek

Summary

Runtime Options

KRB::ignored_errors: set &redef

The server response error texts which are not logged.

Redefinable Options

KRB::tcp_ports: set &redef

Well-known ports for KRB over TCP.

KRB::udp_ports: set &redef

Well-known ports for KRB over UDP.

Types

KRB::Info: record

Redefinitions

Log::ID: enum

connection: record
New Fields:

connection

krb: KRB::Info &optional

Events

KRB::log_krb: event

Event that can be handled to access the KRB record as it is sent on to the logging framework.

Hooks

KRB::finalize_krb: Conn::RemovalHook

Kerberos finalization hook.

KRB::log_policy: Log::PolicyHook

Detailed Interface

Runtime Options

KRB::ignored_errors
Type:

set [string]

Attributes:

&redef

Default:
{
   "NEEDED_PREAUTH",
   "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ"
}

The server response error texts which are not logged.

Redefinable Options

KRB::tcp_ports
Type:

set [port]

Attributes:

&redef

Default:
{
   88/tcp
}

Well-known ports for KRB over TCP.

KRB::udp_ports
Type:

set [port]

Attributes:

&redef

Default:
{
   88/udp
}

Well-known ports for KRB over UDP.

Types

KRB::Info
Type:

record

Fields:
ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

request_type: string &log &optional

Request type - Authentication Service (“AS”) or Ticket Granting Service (“TGS”)

client: string &log &optional

Client

service: string &log &optional

Service

success: bool &log &optional

Request result

error_code: count &optional

Error code

error_msg: string &log &optional

Error message

from: time &log &optional

Ticket valid from

till: time &log &optional

Ticket valid till

cipher: string &log &optional

Ticket encryption type

forwardable: bool &log &optional

Forwardable ticket requested

renewable: bool &log &optional

Renewable ticket requested

logged: bool &default = F &optional

We’ve already logged this

client_cert: Files::Info &optional

(present if base/protocols/krb/files.zeek is loaded)

Client certificate

client_cert_subject: string &log &optional

(present if base/protocols/krb/files.zeek is loaded)

Subject of client certificate, if any

client_cert_fuid: string &log &optional

(present if base/protocols/krb/files.zeek is loaded)

File unique ID of client cert, if any

server_cert: Files::Info &optional

(present if base/protocols/krb/files.zeek is loaded)

Server certificate

server_cert_subject: string &log &optional

(present if base/protocols/krb/files.zeek is loaded)

Subject of server certificate, if any

server_cert_fuid: string &log &optional

(present if base/protocols/krb/files.zeek is loaded)

File unique ID of server cert, if any

auth_ticket_sha256: string &log &optional

(present if policy/protocols/krb/ticket-logging.zeek is loaded)

SHA256 hash of ticket used to authorize request/transaction

new_ticket_sha256: string &log &optional

(present if policy/protocols/krb/ticket-logging.zeek is loaded)

SHA256 hash of ticket returned by the KDC

auth_ticket: string &log &optional

(present if policy/protocols/krb/md5-ticket-logging.zeek is loaded)

MD5 hash of ticket used to authorize request/transaction

new_ticket: string &log &optional

(present if policy/protocols/krb/md5-ticket-logging.zeek is loaded)

MD5 hash of ticket returned by the KDC

Events

KRB::log_krb
Type:

event (rec: KRB::Info)

Event that can be handled to access the KRB record as it is sent on to the logging framework.

Hooks

KRB::finalize_krb
Type:

Conn::RemovalHook

Kerberos finalization hook. Remaining Kerberos info may get logged when it’s called.

KRB::log_policy
Type:

Log::PolicyHook